fred44nl
Posts: 292
Joined: Sat Jun 25, 2016 11:59 am
Location: Scharendijke, NL

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 3:44 pm

may be a bit off-topic, but why is the download speed on ipv6 so much lower than ipv4 ??
headless RPi 3B running from usbhdd.

mahjongg
Forum Moderator
Posts: 12513
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 3:52 pm

fred44nl wrote:may be a bit off-topic, but why is the download speed on ipv6 so much lower than ipv4 ??
that's a loaded question! :evil: don't do that! there is no proof at all that IPV6 connections in themselves are slower than IPV4 connections.

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 3:57 pm

It isn't.

When I visit http://ipv6-test.com/speedtest/ I get almost exactly the same speeds. About 35Mbit/sec.

Of course that can vary greatly depending on the server at the other end and the route etc.
Memory in C++ is a leaky abstraction .

jojopi
Posts: 3103
Joined: Tue Oct 11, 2011 8:38 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 4:13 pm

I don't know if IP6 is the problem in this case, but disabling it removes one possibility of error.
Short answer: If it causes a problem, it is a problem.
We could say that about any random networking configuration, such as decreasing MTU or disabling ICMP redirects.

If the ISP does not support IPv6 correctly, then the best solution would be for the router never to give out IPv6 addresses, rather than for every device in the LAN to be configured not to request them.

All evidence from the OP so far is that IPv6 is not active, in any case.

Since the error is "Network is unreachable", we have some kind of routing issue. The first thing to check should be the Pi's local routing table. How do the outputs of "ip -4 route" and "ip -6 route" compare between the non-working (bootup) and working (manual dhclient) states?

apolonio
Posts: 19
Joined: Sat Mar 30, 2013 6:52 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 5:06 pm

I don't hate IPV6, I am just not ready to learn it. Which is why I disable it

When I troubleshoot network issues, one of the first things I disable is ipv6, just to eliminate that it is a potential problem. I use the following in my sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

From a security view, I don't want another stack that my device can access the Internet with, nor do I want people being able to initiate access to my device from the Internet (I also disable uPNP).

Once again I don't understand ipv6 but don't you usually get a Internet routable ipv6 IP address where the Internet can now access your device on your network. At least with an ipv4 you usually have to NAT an RFC1918 address which is non routable on the Internet.
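Added example, not part of the post above: a check that the two sysctl lines actually took effect (sysctl.conf is only read at boot or on `sysctl -p`) and whether any interface holds an address in the global unicast range 2000::/3. The `PROC_ROOT` argument and the sample tree are assumptions of this example so that it runs against constructed data; with no argument it reads the live /proc.

```shell
#!/bin/sh
# Added example. PROC_ROOT is a hypothetical parameter of this script so the
# checks can be pointed at a constructed tree instead of the live /proc.

# Interfaces where IPv6 is still enabled (disable_ipv6 = 0).
ipv6_enabled_ifaces() {
    root=${1:-/proc}
    for f in "$root"/sys/net/ipv6/conf/*/disable_ipv6; do
        if [ ! -r "$f" ]; then continue; fi
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac   # pseudo-entries, not interfaces
        if [ "$(cat "$f")" = "0" ]; then echo "$iface"; fi
    done
    return 0
}

# Addresses in 2000::/3 (global unicast) listed in PROC_ROOT/net/if_inet6.
# Columns: address, ifindex, prefix length, scope, flags, device; scope 00 = global.
routable_ipv6_addrs() {
    root=${1:-/proc}
    if [ ! -r "$root/net/if_inet6" ]; then return 0; fi
    awk '$4 == "00" && $1 ~ /^[23]/ {
        out = ""
        for (i = 1; i <= 29; i += 4) out = out (i > 1 ? ":" : "") substr($1, i, 4)
        print $6, out
    }' "$root/net/if_inet6"
}

ipv6_exposure_report() {
    root=${1:-/proc}
    enabled=$(ipv6_enabled_ifaces "$root")
    addrs=$(routable_ipv6_addrs "$root")
    if [ -z "$enabled" ]; then echo "ipv6 disabled on every interface"; return 0; fi
    echo "ipv6 still enabled on: $(echo $enabled)"
    if [ -n "$addrs" ]; then
        echo "globally routable addresses (inbound reachability depends on the firewall):"
        echo "$addrs"
    fi
}

# Constructed sample tree: eth0 disabled, lo and wlan0 still enabled,
# wlan0 holding one link-local and one 2001:db8:: (documentation) address.
make_sample_proc() {
    for i in all default eth0 lo wlan0; do
        mkdir -p "$1/sys/net/ipv6/conf/$i"
        echo 0 > "$1/sys/net/ipv6/conf/$i/disable_ipv6"
    done
    echo 1 > "$1/sys/net/ipv6/conf/eth0/disable_ipv6"
    mkdir -p "$1/net"
    cat > "$1/net/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000ba27ebfffe144670 03 40 20 80    wlan0
20010db81f09abcdba27ebfffe144670 03 40 00 00    wlan0
EOF
}

demo=$(mktemp -d)
make_sample_proc "$demo"
ipv6_exposure_report "$demo"
rm -rf "$demo"
```

On a real Pi, call `ipv6_exposure_report` with no argument after a reboot or `sudo sysctl -p`.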

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 5:22 pm

Heh heh.

The truly funny thing is that it wasn't so very long ago that we considered the security provided by NAT to be a GOOD THING and to have "all of our devices" directly addressable by anyone on the Internet to be an unqualified BAD THING.

Again, heh heh...
If this post appears in the wrong forums category, my apologies.

Woflie
Posts: 23
Joined: Thu Dec 29, 2016 9:17 pm
Location: Somewhere in Yorkshire..

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 7:30 pm

OK guys, put the boxing gloves away..

I stated "damn" IPV6 at the start because I never met it before and never needed it, I know little of how it works or more specifically why it doesn't, and still see no reason why I would need it when everything has always worked just fine and dandy without it.

The Pi can connect to everything (I've tried so far) on my LAN, but will not connect to anything on the WAN. ie the Internet, giving me the errors shown in the pictures I have added earlier "Network Unreachable". IPV6 stands accused of my problem because when I force IPV4 upon the Pi everything then works fine and as I expect it to. So, maybe it is not my disabling of IPV6 that works here but forcing IPV4 over whatever it is that is going wrong.

Either way, as someone said earlier, saying that yours works fine and there is nothing wrong is not helpful, and so far there have been few responses with anything for me to try, only things to look at with the hope of them pointing to the problem, and so far apparently they haven't.

But, all that said and since no one appears to actually have any ideas for me to move forward with, I suppose what I could simply ask at this point is..

How can I get the Pi to run the command line, " sudo dhclient -4 -v wlan0 " automatically at startup (be it generally frowned upon or otherwise).
:
Wolfie
:
Time flies like an arrow, fruit flies like a banana..

jojopi
Posts: 3103
Joined: Tue Oct 11, 2011 8:38 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 7:36 pm

jojopi wrote:Since the error is "Network is unreachable", we have some kind of routing issue. The first thing to check should be the Pi's local routing table. How do the outputs of "ip -4 route" and "ip -6 route" compare between the non-working (bootup) and working (manual dhclient) states?

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 7:38 pm

Martin Frezman,
The truly funny thing is that it wasn't so very long ago that we considered the security provided by NAT to be a GOOD THING and to have "all of our devices" directly addressable by anyone on the Internet to be an unqualified BAD THING.
Yes, it's a good thing to keep people out of ones machines and network.

The funny thing, well sad actually, is that people used to believe the myth that NAT provided any security. That is an idea network and security people have been warning against for ages. NAT was certainly not intended as a security measure and arguably adds security risks.

The security that is claimed for NAT is better carried out by a firewall.
Memory in C++ is a leaky abstraction .

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 8:31 pm

@apolonio,
...don't you usually get a Internet routable ipv6 IP address where the Internet can now access your device on your network.
I don't know so much either. Certainly my DLINK router gives publicly accessible IPv6 addresses to all devices on my LAN. Which is as I expect.
At least with an ipv4 you usually have to NAT an RFC1918 address which is non routable on the Internet.
With one click of a button in my router config interface I can disable such forwarding. That is what firewalls are for.

You can probably ssh into my PI 3:

[email protected]:14ba:8094:6400:f789:ea3b:7f12:9a7c
Memory in C++ is a leaky abstraction .

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 8:38 pm

Woflie,
OK guys, put the boxing gloves away..
Oh alright. Let's be civilized about it. Pistols at dawn it is then :)

As I said, it works for me. Yes, that is not helpful. I just wish somebody could spot why it does not work for you.
Memory in C++ is a leaky abstraction .

DougieLawson
Posts: 36810
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:12 pm

Heater wrote: You can probably ssh into my PI 3:

[email protected]:14ba:8094:6400:f789:ea3b:7f12:9a7c
Nope. Got connection refused.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Woflie
Posts: 23
Joined: Thu Dec 29, 2016 9:17 pm
Location: Somewhere in Yorkshire..

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:13 pm

Hi Heater, no worries, it just looked like everyone was using this thread to dig up old arguments which was neither any help for me nor anyone.. Jeez guys chill, we all just want the same thing at the end of the day, a working Pi.

Oh and everyone... it's Wolfie, but someone else has beaten me to the name (Grr).. so either will do I suppose. :D anyway back to the problemo..

Today I have tried to use the internet and traceroute to capture the results but I get a different error, why? I know not, I hadn't altered anything since the day before, when I added those 'disable' lines to the sysctl.conf file. Damn this technology (see, I use that curse all the time).

But, anyway I have now just been and remarked all those lines to disable them.. It hasn't gone back to how it was.. the ifconfig hasn't changed, there is still no IPV6 showing for any of the interfaces (only WiFi is connected anyway).
But it seems to have a DNS problem today..? I hope this isn't a backward step..?

[attachment=1]ifconfig trace.jpg[/attachment]

[attachment=0]google dns.jpg[/attachment]

So I haven't got as far as the IPV4 and IPV6 route just yet.. :roll:
Last edited by Woflie on Sun Jan 01, 2017 9:23 pm, edited 1 time in total.
:
Wolfie
:
Time flies like an arrow, fruit flies like a banana..

apolonio
Posts: 19
Joined: Sat Mar 30, 2013 6:52 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:23 pm

Heater wrote:@apolonio,
...don't you usually get a Internet routable ipv6 IP address where the Internet can now access your device on your network.
I don't know so much either. Certainly my DLINK router gives publicly accessible IPv6 addresses to all devices on my LAN. Which is as I expect.
At least with an ipv4 you usually have to NAT an RFC1918 address which is non routable on the Internet.
With one click of a button in my router config interface I can disable such forwarding. That is what firewalls are for.

You can probably ssh into my PI 3:

[email protected]:14ba:8094:6400:f789:ea3b:7f12:9a7c
It's stuff like that I just don't know. I am more familiar with ipv4 than ipv6. I honestly don't know if you are being sarcastic or not. I do expose some of my devices to the Internet and I know to secure the service (maybe use ssh keys, limit to SSH2, don't allow SSH TCP forwarding etc) then I can assign it a public IP via NAT and open up port 22.

But I worry if I spin up a device it grabs a live IP suddenly that device can act as a jump off point for people to access other device on my network, especially off a dual stack machine on my network.

DougieLawson
Posts: 36810
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:25 pm

Your traceroute isn't going anywhere near any IPv6 addresses, because your problem is that you've got no IPv4 route to the public internet.

Get the results from the following

ip addr
ip route
ping -c3 $(ip route | awk '/default/ {print $3}')
ping -c3 8.8.8.8
ping -c3 google.com
cat /etc/resolv.conf
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.
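Added example, not part of the posts above: a small triage helper that reads the output of `ip -4 route` and the contents of /etc/resolv.conf, which are two of the things requested in the command list, and reports which layer is broken. It also makes the bootup-versus-dhclient routing table comparison suggested earlier in the thread mechanical. The sample routing tables and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not taken from the thread.

# Read `ip -4 route` output on stdin and print one of:
#   "default via GW dev DEV", "lan-only", "no-routes"
classify_routes() {
    awk 'BEGIN { gw = "-"; dev = "-" }
    $1 == "default" {
        have_default = 1
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i+1)
            if ($i == "dev") dev = $(i+1)
        }
    }
    $1 != "default" && NF > 0 { connected = 1 }
    END {
        if (have_default)   print "default via " gw " dev " dev
        else if (connected) print "lan-only"
        else                print "no-routes"
    }'
}

# triage ROUTES_TEXT RESOLV_TEXT: one-line diagnosis, checked in the same order
# as the command list (addressing and routing first, DNS last).
triage() {
    state=$(printf '%s\n' "$1" | classify_routes)
    ns=$(printf '%s\n' "$2" | awk '$1 == "nameserver" { printf "%s ", $2 }')
    case $state in
        no-routes) echo "no IPv4 routes: the interface never got an address" ;;
        lan-only)  echo "no default route: LAN reachable, WAN fails with 'Network is unreachable'" ;;
        *) if [ -z "$ns" ]; then echo "$state, but resolv.conf lists no nameserver"
           else echo "$state, nameservers: ${ns% }"; fi ;;
    esac
}

# Constructed routing table as it might look after boot (no default route).
sample_routes_boot() {
    echo '192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'
}
# Constructed routing table after a successful manual dhclient run.
sample_routes_dhclient() {
    echo 'default via 192.168.1.1 dev wlan0'
    echo '192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'
}
sample_resolv() {
    echo '# constructed resolv.conf'
    echo 'nameserver 192.168.1.1'
    echo 'nameserver 8.8.8.8'
}

triage "$(sample_routes_boot)"     "$(sample_resolv)"
triage "$(sample_routes_dhclient)" "$(sample_resolv)"
# Live use: triage "$(ip -4 route)" "$(cat /etc/resolv.conf)"
```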

apolonio
Posts: 19
Joined: Sat Mar 30, 2013 6:52 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:38 pm

Heater wrote:Martin Frezman,
The truly funny thing is that it wasn't so very long ago that we considered the security provided by NAT to be a GOOD THING and to have "all of our devices" directly addressable by anyone on the Internet to be an unqualified BAD THING.
Yes, it's a good thing to keep people out of ones machines and network.

The funny thing, well sad actually, is that people used to believe the myth that NAT provided any security. That is an idea network and security people have been warning against for ages. NAT was certainly not intended as a security measure and arguably adds security risks.

The security that is claimed for NAT is better carried out by a firewall.
Some firewalls do NAT.

I have a modem that gives out both an IPV4 and IPV6 address. The IPV4 address is RFC1918, I am not sure if someone can access the IPV6 address from the outside. So I consider that my insecure network. I put my firewalls WAN interface on that network and I can assign it one of my public IPV4 address and NAT to a protected device behind the firewall.

DougieLawson
Posts: 36810
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:43 pm

All public IPv6 addresses are currently assigned in the 2000::/16 to 2FFF::/16 range.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:56 pm

DougieLawson,
Nope. Got connection refused.
Ah, thanks for trying. If you get that it just shows that IPv6 is not a problem. :)

I just tweaked my firewall settings a bit. To allow IPv6 forwarding (I hope). Seems it was only forwarding IPv6 ICMP before. Which is why I can ping it from outside via this service: http://www.subnetonline.com/pages/ipv6- ... 6-ping.php

I'd love it if you could try again.
Memory in C++ is a leaky abstraction .

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 9:59 pm

Dealing with the issue at hand first.
Woflie wrote:Hi Heater, no worries, it just looked like everyone was using this thread to dig up old arguments which was neither any help for me nor anyone.. Jeez guys chill, we all just want the same thing at the end of the day, a working Pi.
..
Today I have tried to use the internet and traceroute to capture the results but I get a different error, why? I know not, I hadn't altered anything since the day before, when I added those 'disable' lines to the sysctl.conf file. Damn this technology (see, I use that curse all the time).
..
So I haven't got as far as the IPV4 and IPV6 route just yet.. :roll:
I thought you had solved the issue previously by manually running dhclient (maybe not a permanent fix, but the start of one at least)

Along with DougieLawson's set of commands it might be useful if you can summarise what things you've changed in trying to get the network working. The contents of /etc/network/interfaces might also be of use. It may be best to run the various commands after a clean reboot.

If you've got a spare SD card there may also be some benefit in trying a clean raspbian image and see what issues that shows.


Dealing with some of the other comments.
Martin Frezman wrote:Short answer: If it causes a problem, it is a problem.

See my earlier post for a situation in which it was a problem.
In most cases the problem is likely more one of something else being mis-configured rather than IPv6 as such. You could have similar problems on an IPv4 only network if something is mis-configured. Blaming IPv6 because it's the (relatively) new thing is more of an issue. (IPv6 really isn't that new - I first used it almost at least around 17 years ago and it was certainly around in some form before that).
Martin Frezman wrote: 2) There have been at least 2 situations in my experience where ipv6 was screwing things up and the solution was to disable it. Since the number of times that I've said "Hey! Wow! This is really cool and ipv6 allowed me to do something I couldn't otherwise do." is zero (Yes, zero!), I cannot conclude anything other than that ipv6 is a bad thing and is TBA.
The main reason for IPv6 (or more against IPv4) is that the IPv4 internet has run out of public addresses and that IPv4 is really only continuing due to hacks (NAT being one of them). There are now a number of ISPs using CG-NAT (Carrier Grade NAT) where your home router is already behind a NAT device, this means there's now two levels of abstraction between you and the rest of the internet. Of course ISPs like that as it has little impact on simple things like HTTP but further disrupts things where data is shared direct between end users (the various protocols that benefit from direct connections between the end points e.g. Skype, Bitcoin, Bittorrent).
apolonio wrote:I don't hate IPV6, I am just not ready to learn it. Which is why I disable it
...
From a security view, I don't want another stack that my device can access the Internet with, nor do I want people being able to initiate access to my device from the Internet (I also disable uPNP).
You might want to start learning IPv6. A couple of the features it adds are privacy and end-to-end security. Privacy is added by creating temporary addresses that change over time meaning you only know the subnet I'm connecting from not how many devices there are on that network (For the home user this is a similar level of privacy as you get with IPv4+NAT). With the IPv4 internet various protocols need to be partially open to deal with the hack that is NAT (various protocols (particularly voip type protocols) require intelligence in the router to be able to automatically forward ports to make things work - this is totally separate to the evil that is uPnP).
fred44nl wrote:may be a bit off-topic, but why is the download speed op ipv6 so much lower than ipv4 ??
For some people that's going to be a factor of the IPv6 network being overlaid (in the form of tunnels) on top of the IPv4 network. As IPv6 gets more native connectivity this will improve. Tunnels mainly only exist at the edge now and most (if not all) of the backbone links are native IPv6. As ISPs roll out native IPv6 connections to end users these tunnels will reduce (one of the tunnel brokers (https://www.sixxs.net/news/2015/#callyo ... ripv6-1201) has stopped accepting signups as native IPv6 is becoming more widespread).
apolonio wrote: It's stuff like that I just don't know. I am more familiar with ipv4 than ipv6. I honestly don't know if you are being sarcastic or not. I do expose some of my devices to the Internet and I know to secure the service (maybe use ssh keys, limit to SSH2, don't allow SSH TCP forwarding etc) then I can assign it a public IP via NAT and open up port 22.

But I worry if I spin up a device it grabs a live IP suddenly that device can act as a jump off point for people to access other device on my network, especially off a dual stack machine on my network.
For the most part the numbers are just bigger, there's a few things that are different (arp is replaced with ndp). As has been said elsewhere true security comes through a firewall (and that's also true for IPv4+NAT). With IPv4 we get some security by obscurity through NAT, in IPv6 we get some security by obscurity through the massive subnet size. The current IPv4 internet has 2^32 addresses, each of my IPv6 subnets has 2^64 addresses in them (In other words each of my IPv6 subnets is Internet^2 in size) - that's a lot of addresses to scan to find a device!

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:02 pm

Heater wrote:I'd love it if you could try again.
Looks accessible now

ECDSA key fingerprint is d7:46:ee:4c:62:28:32:be:07:5e:61:ca:db:4f:3c:9a.

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:11 pm

@apolonio,

No, no sarcasm.
But I worry if I spin up a device it grabs a live IP suddenly that device can act as a jump off point for people to access other device on my network, especially off a dual stack machine on my network.
A valid concern.

If I plug my PC or Pi directly into the hole in the wall that is my internet connection I will get a "live" IP address. It's also a public IP address. So anyone in the world can now try to connect to my machine.

If I want to restrict connection attempts I have to make use of firewall rules in my PC/Pi.

Of course, like many, I don't do that. I have a router between my PC/Pi and that hole in the wall. The firewall rules are in that router.

All of this is required and nothing to do with NAT.

NAT is just an extra pain in the neck we have to fiddle with in the IPv4 world.
Memory in C++ is a leaky abstraction .

DougieLawson
Posts: 36810
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:13 pm

mfa298 wrote:
Heater wrote:I'd love it if you could try again.
Looks accessible now

ECDSA key fingerprint is d7:46:ee:4c:62:28:32:be:07:5e:61:ca:db:4f:3c:9a.

I got as far as a prompt for password. You should see a couple of attempts from my IPv6 network in HE's subnet 2001:470::/32 in /var/log/auth.log

NAT is something that came into being because ISPs were too stingy to spend money on doing IPv6 properly.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:16 pm

@apolonio,

No, no sarcasm.
But I worry if I spin up a device it grabs a live IP suddenly that device can act as a jump off point for people to access other device on my network, especially off a dual stack machine on my network.
A valid concern.

If I plug my PC or Pi directly into the hole in the wall that is my internet connection I will get a "live" IP address. It's also a public IP address. So anyone in the world can now try to connect to my machine.

If I want to restrict connections I have to make use of firewall rules in my PC/Pi.

Of course, like many, I don't do that. I have a router between my PC/Pi and that hole in the wall. The firewall rules are in that router.

All of this is required and nothing to do with NAT.

NAT is just an extra pain in the neck we have to fiddle with in the IPv4 world.

Yes, some firewalls do NAT. Most household routers do both. IPv4 does not get NATed and forwarded to a machine unless you configure it so. Same with IPv6 except without the messy NAT part.
Memory in C++ is a leaky abstraction .

Heater
Posts: 14218
Joined: Tue Jul 17, 2012 3:02 pm

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:24 pm

@mfa298 and DougieLawson,

Hey thanks.

I can see some failed logins for user pi:

$ grep failure    /var/log/auth.log
Jan  2 00:08:28 raspberrypi3 sshd[4362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:1234:1f09:abcd:ba27:987:fe14:4670  user=pi
Jan  2 00:08:39 raspberrypi3 sshd[4362]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:1234:1f09:abcd:ba27:987:fe14:4670  user=pi
Jan  2 00:08:51 raspberrypi3 sshd[4369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:1234:1f09:abcd:ba27:987:fe14:4670  user=root
It's nice to know everything works as I imagined it should!
Last edited by Heater on Sun Jan 01, 2017 11:16 pm, edited 1 time in total.
Memory in C++ is a leaky abstraction .
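Added example, not part of the post above: the same `authentication failure` lines that the grep shows, tallied per source address and user, with "PAM N more authentication failure(s)" lines counted as N attempts and each source tagged as IPv4 or IPv6. The sample log is constructed in the format quoted in the post and uses documentation address ranges.

```shell
#!/bin/sh
# Added example. Constructed sample in the same pam_unix/sshd format as the
# lines quoted above; addresses are from documentation ranges.
sample_auth_log() {
cat <<'EOF'
Jan  2 00:08:28 raspberrypi3 sshd[4362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8:1f09:abcd::4670  user=pi
Jan  2 00:08:39 raspberrypi3 sshd[4362]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8:1f09:abcd::4670  user=pi
Jan  2 00:08:51 raspberrypi3 sshd[4369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8:1f09:abcd::4670  user=root
Jan  2 00:09:30 raspberrypi3 sshd[4371]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7  user=pi
Jan  2 00:10:02 raspberrypi3 sshd[4380]: Accepted publickey for pi from 2001:db8:1f09:abcd::10 port 50122 ssh2
EOF
}

# Print "COUNT FAMILY RHOST USER" per source/user pair, busiest first.
# Reads the named files, or stdin when none are given.
summarise_ssh_failures() {
    awk '
    /sshd\[[0-9]+\]:/ && /authentication failure/ {
        n = 1; rhost = "-"; user = "-"
        for (i = 1; i <= NF; i++) {
            # "PAM 2 more authentication failures" stands for 2 further attempts
            if ($i == "PAM" && $(i+2) == "more") n = $(i+1) + 0
            if ($i ~ /^rhost=/) rhost = substr($i, 7)
            if ($i ~ /^user=/)  user  = substr($i, 6)   # does not match "ruser="
        }
        fam = (rhost ~ /:/) ? "ipv6" : "ipv4"
        count[fam " " rhost " " user] += n
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Print "RHOST TOTAL" for sources whose failures across all users reach THRESHOLD.
noisy_sources() {
    threshold=$1; shift
    summarise_ssh_failures "$@" | awk -v t="$threshold" '
        { total[$3] += $1 }
        END { for (h in total) if (total[h] >= t) print h, total[h] }' | sort
}

sample_auth_log | summarise_ssh_failures
sample_auth_log | noisy_sources 3
# Live use: sudo sh -c '. ./this_script; noisy_sources 5 /var/log/auth.log'
```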

Woflie
Posts: 23
Joined: Thu Dec 29, 2016 9:17 pm
Location: Somewhere in Yorkshire..

Re: Disabling IPV6, yep that old Chestnut again..

Sun Jan 01, 2017 10:36 pm

Hi Dougie (I've missed out some of the in between replies since they seem to have no bearing here)..
Thanks for those insights, some of the commands I know and love, others I admit, were a mystery to me. I have run them as you asked and here are the results, they were run with the network in the fault condition.

[attachment=0]dougie commands.jpg[/attachment]

I can see that some of them appear to have a syntax problem, I hope I copied the command correctly.

***************************************************************************************************************************************************8

Hi MFA

Yes I can force it to work with the dhclient command, but I would rather find the issue and only cover it up when all else fails, but as asked earlier.. There must be some way of implementing the dhclient command automatically at boot up instead of having to type it in manually at every power up.
The lines that I had added to the sysctl.conf file were rem(arked) out with a "#" earlier, so should be disabled.

The only other thing altered was to disable (#) a line in /boot/config.txt which forces HDMI output (I wanted AV).

I must admit that I did expect the Network to work (properly) straight out of the box.. it's my only disappointment so far.
Last edited by Woflie on Sun Jan 01, 2017 10:49 pm, edited 2 times in total.
:
Wolfie
:
Time flies like an arrow, fruit flies like a banana..
